Kazuho Oku kazuho

Keybase proof

I hereby claim:

  • I am kazuho on github.
  • I am kazuho on keybase.
  • I have a public key ASAmVek0sSMqTlxwht0ZFkBBQmfHQh54kFN_qlidHhFsVQo

To claim this, I am signing this object:

View gist:adad1d6a9f50fac17bde66894a330aee
struct on_connect_body_t {
    enum { none, vec, streaming };
    union {
        h2o_iovec_t vec;
        struct {
            h2o_iovec_t first;
            h2o_httpclient_proceed_req_cb *proceed;
            size_t content_length;
        } streaming;
View utsname.c
/*
 * prints something like:
 * sysname: Darwin
 * release: 16.7.0
 * version: Darwin Kernel Version 16.7.0: Wed Feb 27 00:29:57 PST 2019; root:xnu-3789.73.43~1/RELEASE_X86_64
 * machine: x86_64
 */
#include <stdio.h>
#include <sys/utsname.h>
View h2o.conf
num-threads: 1
port: 8080
port: 8443
certificate-file: examples/h2o/server.crt
key-file: examples/h2o/server.key
kazuho / gist:250d55ce6e06fc125f69841488320276
Created Aug 7, 2018
./cli -v -p /100000.txt with udpfw -D 5 -I 100
View gist:250d55ce6e06fc125f69841488320276
{"type":"accept", "conn":0, "time":1533649557458, "desc":"b263412c5ff28411"}
{"type":"crypto-decrypt", "pn":0, "len":356}
{"type":"stream-receive", "stream-id":-1, "off":0, "len":352}
{"type":"crypto-update-secret", "is-enc":1, "epoch":2}
{"type":"crypto-update-secret", "is-enc":0, "epoch":2}
{"type":"crypto-update-secret", "is-enc":1, "epoch":3}
{"type":"crypto-handshake", "tls-error":0}
{"type":"receive", "conn":0, "time":1533649557460, "len":887, "first-octet":252, "desc":"b263412c5ff28411"}
{"type":"send", "conn":0, "time":1533649557460, "desc":""}
{"type":"packet-prepare", "first-octet":255}
kazuho /
Last active Jul 11, 2018
Why you need a prefix for ESNI

Some CDNs allow their customers to bring in their own DNS. Some do not provide DNS service at all, requiring every customer to bring in their own DNS.

The customer's DNS will have a zone definition like the following:

View gist:9f11dd5537c5cd172b3ed4ef97fd432d
$ build/openssl110/cli 4433 <-- the address with _esni record
hello world
esni: yes
$ build/openssl110/cli 4433 <-- same address without _esni record
hello world
esni: no
View save_client_hello.c
static int save_client_hello(ptls_on_client_hello_t *self, ptls_t *tls, ptls_iovec_t server_name, const ptls_iovec_t *protocols,
                             size_t num_protocols, const uint16_t *signature_algorithms, size_t num_signature_algorithms)
{
    ptls_set_server_name(tls, (const char *)server_name.base, server_name.len);
#if 0 // you might want to save ALPN as well
    ptls_set_negotiated_protocol(tls, (const char *)protocols[0].base, protocols[0].len);
#endif
    return 0;
}
View gist:cca28097bf5a89eaf51f31a873a4bda8
$ openssl s_client -connect
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
kazuho / gist:6ace6cb277e977b89f283be7631b977f
Last active Apr 26, 2018
`new_aead` function that can be used to build QUIC draft-11 AEAD
View gist:6ace6cb277e977b89f283be7631b977f
static int qhkdf_expand(ptls_hash_algorithm_t *algo, void *output, size_t outlen, const void *secret, const char *label)
{
    ptls_buffer_t hkdf_label;
    uint8_t hkdf_label_buf[16];
    int ret;

    ptls_buffer_init(&hkdf_label, hkdf_label_buf, sizeof(hkdf_label_buf));
    ptls_buffer_push16(&hkdf_label, (uint16_t)outlen);
    ptls_buffer_push_block(&hkdf_label, 1, {